b'                                                U.S. DEPARTMENT OF\n                               HOUSING AND URBAN DEVELOPMENT\n                                        OFFICE OF INSPECTOR GENERAL\n\n\n\n\n                                             November 6, 2012\n                                                                                             MEMORANDUM NO:\n                                                                                             2013-DP-0801\n\n\n\n\nMemorandum\nTO:            Jerry E. Williams, Chief Information Officer, Q\n               Karen Newton Cole, Acting Chief Human Capital Officer, A\n\n\nFROM:          Hanh Do, Director, Information Systems Audit Division, GAA\n\n\nSUBJECT:       Improper Release of Personally Identifiable Information\n\n\n\n                                           INTRODUCTION\nA breach of personally identifiable information (PII) occurred on September 21, 2012, in which\nan employee from the Office of the Chief Human Capital Officer emailed 8,444 U.S. Department\nof Housing and Urban Development (HUD) employees an Excel file that contained employees\xe2\x80\x99\nfull names and Social Security numbers. We determined that HUD responded to the incident\nproperly, following United States Computer Emergency Readiness Team (US-CERT), National\nInstitute of Standards and Technology, and HUD policy and other Federal requirements.\nHowever, we noted some areas of concern for safeguarding HUD information as well as\nsuggested improvements for limiting the exposure of HUD\xe2\x80\x99s information in the future.\n\n                                METHODOLOGY AND SCOPE\nThe Office of Inspector General (OIG) was notified of a PII incident on September 24th. We\nperformed a review to determine whether HUD followed proper policies and procedures in\nresponding to the breach of PII. Specifically, for this incident, we identified what actions were\ntaken and any deficiencies within HUD policies, plans, or current practices. We performed this\nreview at HUD headquarters from September 28th-October 19th. We interviewed members of\nHUD\xe2\x80\x99s Breach Notification Response Team who were directly involved in the identification and\ncorrective actions associated with this incident. Interviewees included the senior agency official\nfor privacy, Chief Information Officer, Deputy Chief Information Officer, privacy officer, data\ncenter services director, chief information security officer, OIG representative, and Chief Human\nCapital Officer (manager of the program experiencing the breach).\n\n                               Office of Audit (Information Systems Audit Division)\n                                451 7th Street S.W., Room 8174, Washington, DC 20410\n                                      Phone (202) 402-0344, Fax (202) 401-1578\n                           Visit the Office of Inspector General Website at www.hudoig.gov\n\x0c\x0c\x0c\x0cbcc:\nG       Montoya         8256\nG       Albert          8256\nG       Chron           8256\nGA      Rokosz          8286\nGA      Chron           8286\nGAA     Do              8174\nGAA     Bagley          8174\nGAA     Bardak          8174\nGAA     Chron            8174\n\n\nConcurrence:\n\nAdmin          Bardak    Bagley   Do   Rokosz   Albert   Montoya\n\n\n\n\n                                   5\n\x0c'